Blocking of WMF

Randal, Phil prandal at herefordshire.gov.uk
Tue Mar 17 12:33:44 GMT 2009


Should be OK (until next WMF vulnerability is discovered) if you have
MS09-006 applied.

http://www.microsoft.com/technet/security/Bulletin/ms09-006.mspx

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal at herefordshire.gov.uk


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jethro R Binks
Sent: 17 March 2009 12:18
To: mailscanner at lists.mailscanner.info
Subject: Blocking of WMF

For a long time we've had the following rule enabled:

# JKF 01/01/2006 Another Microsoft security vulnerability
deny    \.wmf$          Windows Metafile security vulnerability
                        Possible format attack in Windows

More and more we are finding that .WMFs are being discovered in the
zipfile that MS Office 2007 documents are composed of.  This MS kb
article alludes to one particular issue relating to "thumbnail.wmf"
being detected:

  http://support.microsoft.com/kb/934284

but we very often see "image1.wmf", "image2.wmf", etc discovered too.

Very often, the sending user is completely oblivious to the presence of
images in the document (zip file), and does not know what to do to remove
them or save them as something else; at least in the case of the
"thumbnail.wmf" content, this is something that the application itself has
generated without the user knowing about it.

So my question is twofold:

1. do other sites have this issue and what do they do about it;

2. is blocking of .WMF justified these days, given that patches for the
potential vulnerability have been available for many years now.  Is it
still being actively exploited?

Thoughts welcome,

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
.
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
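
Added example, not part of the original posts and not MailScanner code: a Python check that lists which members of an Office 2007 document match the `\.wmf$` rule quoted above, so an administrator can tell an application-generated thumbnail from an embedded image. The sample document, its member paths and the case-insensitive matching are assumptions made for the example.

```python
import io
import re
import zipfile

# Pattern taken from the rule quoted above. Case-insensitive matching is a
# choice made for this example so that "IMAGE1.WMF" is reported too.
WMF_RULE = re.compile(r"\.wmf$", re.IGNORECASE)


def find_wmf_members(data: bytes):
    """Return (member_name, kind) for every archive member the rule matches.

    kind is "thumbnail" for an application-generated preview and
    "embedded" for any other matching member (for example a media part).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            if WMF_RULE.search(base):
                is_thumb = base.lower().startswith("thumbnail.")
                hits.append((info.filename, "thumbnail" if is_thumb else "embedded"))
    return hits


def build_sample_docx() -> bytes:
    """Constructed stand-in for an Office 2007 document (dummy contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/thumbnail.wmf", b"dummy")
        zf.writestr("word/media/image1.wmf", b"dummy")
        zf.writestr("word/media/image2.png", b"dummy")
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in find_wmf_members(build_sample_docx()):
        print(f"{kind:9}  {name}")
```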